Scenario description

When deploying static web pages with Nginx, access sometimes has to be restricted to specific users for security reasons. Nginx lets you restrict access with HTTP Basic Authentication in a few simple steps:

# create the password file and add the user "hello" (prompts for the password)
htpasswd -c /etc/nginx/htpasswd hello

# nginx configuration
location /api {
    auth_basic "Login";
    auth_basic_user_file /etc/nginx/htpasswd;
    ...
}

Once configured, the browser shows a login box. If you enter the correct account and password, Nginx responds with the normal content.

Scenario analysis

How does the browser know to log in?

A quick comparison of the Nginx responses before and after auth_basic is configured.

If auth_basic is configured, the status code of the first response changes to 401 and the following header is added to the response:

WWW-Authenticate: Basic realm="Login"

401 is easy to understand: the client simply does not have access. But what is WWW-Authenticate?

HTTP authentication is described as follows:

RFC 7235 defines an HTTP authentication framework that a server can use to send a challenge in response to a client request, and that a client can use to provide authentication credentials. The challenge-response process is as follows: the server returns a 401 (Unauthorized) status code to the client and provides information about how to authenticate in the WWW-Authenticate header, which includes at least one challenge method. After that, a client that intends to prove its identity can add the Authorization header field to a new request, with the credentials as the field value. Typically, the client pops up a password box for the user to fill in, and then sends a request with the appropriate Authorization header.

WWW-Authenticate is a standard response header that tells the browser to authenticate the request. In practice it works in common browsers but not in WeChat's built-in browser; whether HTTP authentication is enabled in a WebView can be controlled from code.

The WWW-Authenticate value is composed of two parts:

WWW-Authenticate: <type> realm=<realm>

References: Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry; What is the “realm” in basic authentication

What is the verification process like?

After you enter the user name and password in the browser, the browser encodes them in the following format:

base64(<userName>:<password>)

It is then sent in the Authorization request header. The browser can decode the base64 value with atob; decoding the value above yields the user name and password, which Nginx checks against the entries in /etc/nginx/htpasswd.

Implement a simple authentication service using Node

Implementing this in Node is also fairly simple; the core is setting the status code and the response header. A minimal demo:

const http = require("http")

http.createServer((req, res) => {
  if (req.headers.authorization) {
    // the Basic credentials can be parsed and verified here;
    // this demo accepts any Authorization header as-is
    res.write("hello world")
    return res.end()
  }
  // no credentials: challenge the client
  res.statusCode = 401
  res.setHeader("WWW-Authenticate", 'Basic realm="Login"')
  res.end()
}).listen(8132)

Results as follows:

Conclusion

Using the WWW-Authenticate mechanism defined by HTTP together with the authentication module provided by Nginx, a simple login flow is very easy to set up. Browser authentication is session level: as long as the browser is not closed, there is no need to re-authenticate, which gives a certain degree of security and a good user experience.